Identifying Input-Dependent Jumps from Obfuscated Execution using Dynamic Data Flow Graphs

A method to identify input-dependent jumps from the execution of obfuscated machine code is presented. Input-dependent jumps, which are defined as jumps whose target addresses can be changed depending on the input, correspond to decision points in program execution. By investigating how a target address is calculated, it is possible to pinpoint the triggering conditions of a given behavior, and new execution paths can be discovered by finding input values that change the target address. Obfuscators hinder such analysis by inserting numerous artificial jumps that use opaque predicates with constant values into the code. One important obfuscation approach is virtualization-obfuscation, in which entire blocks of control flow information are replaced with bytecode interpreter code. Using the fact that the semantics of the original program must be preserved under obfuscation, we propose an obfuscation mitigation approach that exploits the relationship between the original and obfuscated executions using dynamic data flow graphs that represent output computation using concrete and symbolic information. These graphs are generated from execution traces that are recorded using dynamic binary instrumentation and simplified using pattern-based rules based on algebraic identities and the general properties of well-behaved programs. To identify input-dependent jumps, a dynamic data flow graph is generated and simplified for each write access to the program counter; if the node for the target address is reachable from a node for an input value in the resulting graph, the jump is input-dependent. Experimental application of the proposed approach to code treated with various obfuscators successfully revealed the relationship between input-dependent jumps in the original and obfuscated executions, confirming that information obtained from dynamic data flow graphs is useful in understanding branch conditions.
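The pipeline the abstract describes (record a trace, build a dynamic data flow graph for each write to the program counter, simplify it with algebraic identities, then test whether an input node can reach the target-address node) is illustrated below as an added Python example. It is not the paper's implementation: the trace format, the register names, the 32-bit word size and the small rule set are assumptions made for this illustration, and the trace itself is constructed by hand to contain two opaque predicates and one genuine jump-table dispatch.

```python
"""Added example (not from the paper): dynamic data flow graphs with
pattern-based simplification, used to separate jumps whose target only
*looks* input-derived (opaque predicates) from genuinely input-dependent ones.
"""
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # assumed 32-bit machine words


@dataclass(frozen=True)
class Node:
    op: str            # 'input', 'const', or a binary operator name
    args: tuple = ()   # child Nodes (two of them for binary operators)
    value: int = 0     # concrete value, meaningful for 'const' only
    name: str = ''     # register name, meaningful for 'input' only


def const(v):
    return Node('const', value=v & MASK)


def fold(op, a, b):
    """Concrete evaluation used for constant folding of two constant children."""
    return {'add': a + b, 'sub': a - b, 'mul': a * b, 'xor': a ^ b,
            'and': a & b, 'or': a | b, 'shl': a << (b & 31)}[op] & MASK


def simplify(n):
    """Bottom-up rewriting by algebraic identities (an assumed, minimal rule set)."""
    if n.op in ('input', 'const'):
        return n
    a, b = (simplify(x) for x in n.args)
    if a.op == 'const' and b.op == 'const':               # constant folding
        return const(fold(n.op, a.value, b.value))
    if n.op in ('xor', 'sub') and a == b:                 # x ^ x, x - x  -> 0
        return const(0)
    if n.op in ('mul', 'and') and const(0) in (a, b):     # x * 0, x & 0  -> 0
        return const(0)
    if n.op in ('add', 'or', 'xor') and b == const(0):    # identity elements
        return a
    if n.op in ('add', 'or', 'xor') and a == const(0):
        return b
    if n.op == 'mul' and b == const(1):
        return a
    if n.op == 'and' and b == const(MASK):
        return a
    return Node(n.op, (a, b))


def input_dependent(n):
    """True if some 'input' node is reachable from n in the data flow graph."""
    return n.op == 'input' or any(input_dependent(c) for c in n.args)


def analyze(trace, inputs):
    """Replay a trace of (dst, op, src1, src2) tuples, registers named by string,
    immediates as int. Returns {trace index: (naive_verdict, simplified_verdict,
    simplified_target_node)} for every write to 'pc'."""
    regs = {r: Node('input', name=r) for r in inputs}
    results = {}
    for i, (dst, op, s1, s2) in enumerate(trace):
        operand = lambda s: const(s) if isinstance(s, int) else regs[s]
        node = operand(s1) if op == 'mov' else Node(op, (operand(s1), operand(s2)))
        if dst == 'pc':
            g = simplify(node)
            results[i] = (input_dependent(node), input_dependent(g), g)
        else:
            regs[dst] = node
    return results


# Constructed trace; r0 holds the program input. Without simplification every
# pc write below is reachable from r0, so a plain taint rule flags all three.
TRACE = [
    ('r1', 'xor', 'r0', 'r0'),       # opaque predicate: r0 ^ r0 is always 0
    ('r2', 'mul', 'r1', 0x1000),     # r2 = 0 * 0x1000 = 0
    ('pc', 'add', 'r2', 0x401000),   # jmp 0x401000 + r2: constant target
    ('r3', 'and', 'r0', 3),          # dispatcher index = input & 3
    ('r4', 'shl', 'r3', 2),          # scaled to a 4-byte table slot
    ('pc', 'add', 'r4', 0x402000),   # jump-table dispatch: input-dependent
    ('r5', 'sub', 'r0', 'r0'),       # opaque predicate: r0 - r0 = 0
    ('r6', 'and', 'r0', 'r5'),       # r0 & 0 = 0
    ('pc', 'or', 'r6', 0x403000),    # constant target again
]

if __name__ == '__main__':
    for i, (naive, simplified, g) in analyze(TRACE, ['r0']).items():
        print(f'trace[{i}]: naive={naive} after simplification={simplified} target={g}')
```

Of the three program-counter writes, only the jump-table dispatch survives simplification with an input node still reachable; the two opaque predicates collapse to constant targets, which is the distinction the graph-plus-rules approach is meant to recover.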
Publisher
Association for Computing Machinery
Issue Date
2018-12-04
Language
English
Citation

Software Security, Protection, and Reverse Engineering Workshop, pp.3:1 - 3:12

DOI
10.1145/3289239.3291460
URI
http://hdl.handle.net/10203/247710
Appears in Collection
CS-Conference Papers(학술회의논문)